Merge ~ahasenack/ubuntu/+source/bind9:disco-bind9-merge-9.11.5 into ubuntu/+source/bind9:debian/sid

Proposed by Andreas Hasenack
Status: Merged
Approved by: Andreas Hasenack
Approved revision: 7d482c21f2a44a48e7b7467705f95eb3ffd5e5c4
Merge reported by: Andreas Hasenack
Merged at revision: 7d482c21f2a44a48e7b7467705f95eb3ffd5e5c4
Proposed branch: ~ahasenack/ubuntu/+source/bind9:disco-bind9-merge-9.11.5
Merge into: ubuntu/+source/bind9:debian/sid
Diff against target: 752 lines (+472/-83)
10 files modified
debian/bind9.install (+0/-2)
debian/changelog (+400/-0)
debian/control (+2/-5)
debian/dnsutils.install (+0/-2)
debian/libdns1104.symbols (+0/-66)
debian/patches/enable-udp-in-host-command.diff (+26/-0)
debian/patches/fix-shutdown-race.diff (+41/-0)
debian/patches/series (+2/-0)
debian/rules (+1/-4)
debian/tests/simpletest (+0/-4)
Reviewers (reviewer: status):
- Christian Ehrhardt (community): Approve
- Canonical Server: Pending
- git-ubuntu developers: Pending
Review via email: mp+360691@code.launchpad.net

Description of the change

Merge from debian

Bileto ticket: https://bileto.ubuntu.com/#/ticket/3555

This is going to need some rebuilds, due to soname bumps:
- bind-dyndb-ldap
- isc-dhcp
- debian-installer

I tested all of them and isc-dhcp actually needed a patch to build with 9.11.5, which I grabbed from debian. I'll MP that too, and the other two are just plain no-change rebuilds.

Some delta was dropped, which is good.

Of the bits that were added, two are applied fixed upstream, so they should vanish soon, but the remaining one is a dep8 change we had to make because our autopkgtest farm doesn't have easy egress access. I tried for a while to come up with ways to detect that and skip the test in this case, which would be acceptable for debian I think, or even find out which resolver the system is using and pointing bind at it via a "forwarders" config directive, but it didn't work out as well as I had hoped. I couldn't even be sure if using a forwarder wasn't going to taint that particular dnssec test.

Since I had spent a lot of time on this already, I decided to just drop that test.

The only remaining delta we have, apart from this new dep8 change, is related to dependencies in universe.

This debian change made me think: https://salsa.debian.org/dns-team/bind9/commit/942705926bff715f1171c6b18fa4a3df54c013fc

It's this d/rules bit:
override_dh_shlibdeps:
 dh_shlibdeps
 # Downgrade libcrypto1.1-udeb dependency from 1.1.1 to 1.1.0
 # The udebs don't use any newer symbols, but due to them using
 # shlibs the dependency is generated anyway. This blocks migration
 # to testing until OpenSSL 1.1.1 is sorted out
 sed -i 's:libcrypto1.1-udeb (>= 1.1.1):libcrypto1.1-udeb (>= 1.1.0):' debian/*-udeb.substvars

Ubuntu has libcrypto1.1-udeb version 1.1.1a in disco:
 libcrypto1.1-udeb | 1.1.1a-1ubuntu2 | disco/main/debian-installer | amd64, arm64, armhf, i386, ppc64el, s390x

Debian too, at the moment:
libcrypto1.1-udeb | 1.1.1a-1 | unstable | amd64, arm64, armel, armhf, hurd-i386, i386, kfreebsd-amd64, kfreebsd-i386, mips, mips64el, mipsel, ppc64el, s390x

That sed line from d/rules no longer matches, because it's looking for 1.1.1, and both debian and ubuntu have 1.1.1a nowadays. It's a noop and not worth adding a delta for. Eventually debian will drop it.
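The no-op described above can be made visible at build time instead of being discovered by reading d/rules. The following is an added example, not part of the merge proposal or of the Debian packaging: it applies the quoted sed expression and reports whether it changed anything. The function names and the sample substvars line are constructed, and the `1.1.1a` dependency string is an assumption taken from the description.

```shell
#!/bin/sh
# Added example (not from the bind9 packaging): apply the d/rules
# substitution to a substvars file and report whether it matched.

# The sed expression exactly as quoted in the description.
SED_EXPR='s:libcrypto1.1-udeb (>= 1.1.1):libcrypto1.1-udeb (>= 1.1.0):'

# rewrite_substvars FILE
# Rewrites FILE in place.
# Returns 0 if the expression changed the file, 1 if it was a no-op,
# 2 on an I/O error.
rewrite_substvars() {
    file=$1
    tmp=$(mktemp) || return 2
    sed "$SED_EXPR" "$file" > "$tmp" || { rm -f "$tmp"; return 2; }
    if cmp -s "$file" "$tmp"; then
        # Nothing matched: the pattern requires ")" right after "1.1.1".
        rm -f "$tmp"
        return 1
    fi
    cat "$tmp" > "$file"
    rm -f "$tmp"
    return 0
}

# make_sample VERSION
# Writes a constructed one-line substvars file depending on
# libcrypto1.1-udeb (>= VERSION) and prints its path.
make_sample() {
    f=$(mktemp) || return 2
    printf 'shlibs:Depends=libc6-udeb (>= 2.28), libcrypto1.1-udeb (>= %s)\n' "$1" > "$f"
    printf '%s\n' "$f"
}

# Demonstration on the two dependency strings discussed above.
for v in 1.1.1 1.1.1a; do
    f=$(make_sample "$v")
    if rewrite_substvars "$f"; then
        echo "$v: dependency rewritten to 1.1.0"
    else
        echo "$v: pattern did not match, sed was a no-op"
    fi
    rm -f "$f"
done
```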

Andreas Hasenack (ahasenack) wrote :

back to wip while I confirm that the reverse-depends can be rebuilt

Andreas Hasenack (ahasenack) wrote :

All good

Christian Ehrhardt  (paelzer) wrote :

- All your considerations sound fine to me
- Neither the Debian nor the upstream changelog gave me other reasons to doubt this would be good
- Changes correctly retained/dropped
- yes to the egress test dropping
- patches added are upstream and seem safe

Strictly speaking the commit messages and changelog could be slightly updated:
+ d/rules: don't build dnstap => add "... nor install dnstap.proto"
+ d/libdns1102.symbols: don't include dnstap symbols => is in d/libdns1104.symbols now
But that is up to you.

The autopkgtests look good, I think last cycle we also ran [1] against it.
I don't remember if that was helpful, if it was you might run that again before an upload.

All my feedback was ack/suggestion - so you already have my +1 on this - thanks for the Merge!

[1]: https://git.launchpad.net/qa-regression-testing/tree/scripts/test-bind9.py

review: Approve
995f96b... by Andreas Hasenack

merge-changelogs

60f880e... by Andreas Hasenack

reconstruct-changelog

acc2688... by Andreas Hasenack

update-maintainer

Andreas Hasenack (ahasenack) wrote :

Good suggestions, particularly the libdns1104.symbols one. I remember I was amazed how git was able to track the patch across a file rename, but didn't think about checking the filename in the changelog message.

I push-forced these changes, sorry, but I wanted to keep the changelog auto-generated correctly via git ubuntu merge finish.

I'll next run the qa-regression tests.

Christian Ehrhardt  (paelzer) wrote :

Ack to the changelog changes - thanks!

Andreas Hasenack (ahasenack) wrote :

Regarding the qa-regression-tests, I get 4 dnssec failures with the current version of bind in disco, and the same failures with the updated one:

9.11.4 (current in disco): https://pastebin.ubuntu.com/p/YDsd7sJbVs/
9.11.5 (this MP): https://pastebin.ubuntu.com/p/XbrmN5Y2G3/

Since it's the same tests that failed, it's no regression. I asked #security and #ubuntu-hardened if these are known failures.

Andreas Hasenack (ahasenack) wrote :

Tagged and uploaded, thanks.

Andreas Hasenack (ahasenack) wrote :

This migrated.

Preview Diff

diff --git a/debian/bind9.install b/debian/bind9.install
index 26d595e..fd7f0f5 100644
--- a/debian/bind9.install
+++ b/debian/bind9.install
@@ -16,7 +16,6 @@ usr/sbin/genrandom
16usr/sbin/isc-hmac-fixup16usr/sbin/isc-hmac-fixup
17usr/sbin/named17usr/sbin/named
18usr/sbin/named-journalprint18usr/sbin/named-journalprint
19usr/sbin/named-nzd2nzf
20usr/sbin/named-pkcs1119usr/sbin/named-pkcs11
21usr/sbin/nsec3hash20usr/sbin/nsec3hash
22usr/sbin/tsig-keygen21usr/sbin/tsig-keygen
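Review bot: the removal of usr/sbin/named-nzd2nzf here (and of named-nzd2nzf.8 in the next hunk) is not itemized in the new 1:9.11.5+dfsg-1ubuntu1 changelog entry, which only says "Build without lmdb support as that package is in Universe". The 1:9.11.2.P1-1ubuntu2 entry listed d/control, d/rules and d/bind9.install under that bullet; repeating those sub-items, as is done for dnstap, would let the next merge verify the lmdb delta file by file.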
@@ -32,7 +31,6 @@ usr/share/man/man8/dnssec-importkey.8
32usr/share/man/man8/genrandom.831usr/share/man/man8/genrandom.8
33usr/share/man/man8/isc-hmac-fixup.832usr/share/man/man8/isc-hmac-fixup.8
34usr/share/man/man8/named-journalprint.833usr/share/man/man8/named-journalprint.8
35usr/share/man/man8/named-nzd2nzf.8
36usr/share/man/man8/named.834usr/share/man/man8/named.8
37usr/share/man/man8/nsec3hash.835usr/share/man/man8/nsec3hash.8
38usr/share/man/man8/tsig-keygen.836usr/share/man/man8/tsig-keygen.8
diff --git a/debian/changelog b/debian/changelog
index 1e26d11..91bda1e 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,42 @@
1bind9 (1:9.11.5+dfsg-1ubuntu1) disco; urgency=medium
2
3 * Merge with Debian unstable. Remaining changes:
4 - Build without lmdb support as that package is in Universe
5 - Don't build dnstap as it depends on universe packages:
6 + d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and
7 protobuf-c-compiler (universe packages)
8 + d/dnsutils.install: don't install dnstap
9 + d/libdns1104.symbols: don't include dnstap symbols
10 + d/rules: don't build dnstap nor install dnstap.proto
11 * Dropped:
12 - SECURITY UPDATE: denial of service crash when deny-answer-aliases
13 option is used
14 + debian/patches/CVE-2018-5740-1.patch: explicit DNAME query could
15 trigger a crash if deny-answer-aliases was set
16 + debian/patches/CVE-2018-5740-2.patch: add tests
17 + debian/patches/CVE-2018-5740-3.patch: caclulate nlabels and set
18 chainingp correctly, add test
19 + CVE-2018-5740
20 [Fixed in new upstream version 9.11.5]
21 - d/extras/apparmor.d/usr.sbin.named: add missing comma at the end of the
22 line (Closes: #904983)
23 [Fixed in 1:9.11.4+dfsg-4]
24 - Add a patch to fix named-pkcs11 crashing on startup. (LP #1769440)
25 [Fixed in 1:9.11.4.P1+dfsg-1]
26 - Cherrypick from debian: Add new dst__openssleddsa_init optional symbol
27 (it depends on OpenSSL version) (Closes: #897643)
28 [Fixed in 1:9.11.4.P1+dfsg-1]
29 * Added:
30 - d/p/enable-udp-in-host-command.diff: fix parsing of the -U command line
31 option (LP: #1804648)
32 - d/p/fix-shutdown-race.diff: dig/host/nslookup could crash when interrupted
33 close to a query timeout (LP: #1797926)
34 - d/t/simpletest: drop the internetsociety.org test as it requires
35 network egress access that is not available in the Ubuntu autopkgtest
36 farm.
37
38 -- Andreas Hasenack <andreas@canonical.com> Thu, 13 Dec 2018 19:40:23 -0200
39
1bind9 (1:9.11.5+dfsg-1) unstable; urgency=medium40bind9 (1:9.11.5+dfsg-1) unstable; urgency=medium
241
3 * Use team+dns@tracker.debian.org as Maintainer address42 * Use team+dns@tracker.debian.org as Maintainer address
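Review bot: the d/t/simpletest item (new lines 34-36) says why the internetsociety.org test was dropped but not what it covered. The description identifies it as the DNSSEC test, so with this change the autopkgtest loses that DNSSEC check; say so in the entry, so the lost coverage is visible to whoever next touches debian/tests and the test can be restored if a resolver becomes reachable from the test farm.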
@@ -59,6 +98,55 @@ bind9 (1:9.11.4+dfsg-4) unstable; urgency=medium
5998
60 -- Bernhard Schmidt <berni@debian.org> Mon, 30 Jul 2018 16:28:21 +020099 -- Bernhard Schmidt <berni@debian.org> Mon, 30 Jul 2018 16:28:21 +0200
61100
101bind9 (1:9.11.4+dfsg-3ubuntu5) cosmic; urgency=high
102
103 * No change rebuild against openssl 1.1.1 with TLS 1.3 support.
104
105 -- Dimitri John Ledkov <xnox@ubuntu.com> Sat, 29 Sep 2018 01:36:45 +0100
106
107bind9 (1:9.11.4+dfsg-3ubuntu4) cosmic; urgency=medium
108
109 * SECURITY UPDATE: denial of service crash when deny-answer-aliases
110 option is used
111 - debian/patches/CVE-2018-5740-1.patch: explicit DNAME query could
112 trigger a crash if deny-answer-aliases was set
113 - debian/patches/CVE-2018-5740-2.patch: add tests
114 - debian/patches/CVE-2018-5740-3.patch: caclulate nlabels and set
115 chainingp correctly, add test
116 - CVE-2018-5740
117
118 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 20 Sep 2018 11:11:05 +0200
119
120bind9 (1:9.11.4+dfsg-3ubuntu3) cosmic; urgency=medium
121
122 * Cherrypick from debian: Add new dst__openssleddsa_init optional symbol
123 (it depends on OpenSSL version) (Closes: #897643)
124
125 -- Dimitri John Ledkov <xnox@ubuntu.com> Tue, 18 Sep 2018 10:39:12 +0200
126
127bind9 (1:9.11.4+dfsg-3ubuntu2) cosmic; urgency=medium
128
129 * d/p/skip-rtld-deepbind-for-dyndb.diff: Add a patch to fix named-pkcs11
130 crashing on startup. (LP: #1769440)
131
132 -- Karl Stenerud <karl.stenerud@canonical.com> Thu, 30 Aug 2018 07:11:39 -0700
133
134bind9 (1:9.11.4+dfsg-3ubuntu1) cosmic; urgency=medium
135
136 * Merge with Debian unstable. Remaining changes:
137 - Build without lmdb support as that package is in Universe
138 * Added:
139 - Don't build dnstap as it depends on universe packages:
140 + d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and
141 protobuf-c-compiler (universe packages)
142 + d/dnsutils.install: don't install dnstap
143 + d/libdns1102.symbols: don't include dnstap symbols
144 + d/rules: don't build dnstap
145 - d/extras/apparmor.d/usr.sbin.named: add missing comma at the end of the
146 line (Closes: #904983)
147
148 -- Andreas Hasenack <andreas@canonical.com> Mon, 30 Jul 2018 10:56:04 -0300
149
62bind9 (1:9.11.4+dfsg-3) unstable; urgency=medium150bind9 (1:9.11.4+dfsg-3) unstable; urgency=medium
63151
64 * Enable IDN support for dig+host using libidn2 (Closes: #459010)152 * Enable IDN support for dig+host using libidn2 (Closes: #459010)
@@ -89,6 +177,19 @@ bind9 (1:9.11.4+dfsg-1) unstable; urgency=medium
89177
90 -- Ondřej Surý <ondrej@debian.org> Sat, 14 Jul 2018 12:27:56 +0000178 -- Ondřej Surý <ondrej@debian.org> Sat, 14 Jul 2018 12:27:56 +0000
91179
180bind9 (1:9.11.3+dfsg-2ubuntu1) cosmic; urgency=medium
181
182 * Merge with Debian unstable (LP: #1777935). Remaining changes:
183 - Build without lmdb support as that package is in Universe
184 * Drop:
185 - SECURITY UPDATE: improperly permits recursive query service
186 + debian/patches/CVE-2018-5738.patch: fix configure_view_acl() handling
187 in bin/named/server.c.
188 + CVE-2018-5738
189 [Applied in Debian's 1:9.11.3+dfsg-2]
190
191 -- Andreas Hasenack <andreas@canonical.com> Wed, 20 Jun 2018 17:42:16 -0300
192
92bind9 (1:9.11.3+dfsg-2) unstable; urgency=medium193bind9 (1:9.11.3+dfsg-2) unstable; urgency=medium
93194
94 * [CVE-2018-5738]: Add upstream fix to close the default open recursion195 * [CVE-2018-5738]: Add upstream fix to close the default open recursion
@@ -97,6 +198,24 @@ bind9 (1:9.11.3+dfsg-2) unstable; urgency=medium
97198
98 -- Ondřej Surý <ondrej@debian.org> Thu, 14 Jun 2018 13:01:47 +0000199 -- Ondřej Surý <ondrej@debian.org> Thu, 14 Jun 2018 13:01:47 +0000
99200
201bind9 (1:9.11.3+dfsg-1ubuntu2) cosmic; urgency=medium
202
203 * SECURITY UPDATE: improperly permits recursive query service
204 - debian/patches/CVE-2018-5738.patch: fix configure_view_acl() handling
205 in bin/named/server.c.
206 - CVE-2018-5738
207
208 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Mon, 11 Jun 2018 09:41:51 -0400
209
210bind9 (1:9.11.3+dfsg-1ubuntu1) bionic; urgency=low
211
212 * New upstream release. (LP: #1763572)
213 - fix a crash when configured with ipa-dns-install
214 * Merge from Debian unstable. Remaining changes:
215 - Build without lmdb support as that package is in Universe
216
217 -- Timo Aaltonen <tjaalton@debian.org> Fri, 13 Apr 2018 07:40:47 +0300
218
100bind9 (1:9.11.3+dfsg-1) unstable; urgency=medium219bind9 (1:9.11.3+dfsg-1) unstable; urgency=medium
101220
102 [ Bernhard Schmidt ]221 [ Bernhard Schmidt ]
@@ -121,6 +240,61 @@ bind9 (1:9.11.3+dfsg-1) unstable; urgency=medium
121240
122 -- Bernhard Schmidt <berni@debian.org> Fri, 23 Mar 2018 00:09:58 +0100241 -- Bernhard Schmidt <berni@debian.org> Fri, 23 Mar 2018 00:09:58 +0100
123242
243bind9 (1:9.11.2.P1-1ubuntu5) bionic; urgency=medium
244
245 * debian/patches/nsupdate-gssapi-fails-ad-45854.patch: fix updating
246 DNS records in Microsoft AD using GSSAPI. Thanks to Mark Andrews
247 <marka@isc.org>. (LP: #1755439)
248
249 -- Andreas Hasenack <andreas@canonical.com> Fri, 16 Mar 2018 09:38:46 -0300
250
251bind9 (1:9.11.2.P1-1ubuntu4) bionic; urgency=medium
252
253 * Fix apparmor profile filename (LP: #1754981)
254
255 -- Andreas Hasenack <andreas@canonical.com> Thu, 15 Mar 2018 10:06:57 -0300
256
257bind9 (1:9.11.2.P1-1ubuntu3) bionic; urgency=high
258
259 * No change rebuild against openssl1.1.
260
261 -- Dimitri John Ledkov <xnox@ubuntu.com> Tue, 06 Feb 2018 12:14:22 +0000
262
263bind9 (1:9.11.2.P1-1ubuntu2) bionic; urgency=medium
264
265 * Build without lmdb support as that package is in Universe (LP: #1746296)
266 - d/control: remove Build-Depends on liblmdb-dev
267 - d/rules: configure --without-lmdb
268 - d/bind9.install: drop named-nzd2nzf and named-nzd2nzf.8 as it requires
269 lmdb.
270
271 -- Andreas Hasenack <andreas@canonical.com> Tue, 30 Jan 2018 15:21:23 -0200
272
273bind9 (1:9.11.2.P1-1ubuntu1) bionic; urgency=medium
274
275 * Merge with Debian unstable (LP: #1744930).
276 * Drop:
277 - Add RemainAfterExit to bind9-resolvconf unit configuration file
278 (LP #1536181).
279 [fixed in 1:9.10.6+dfsg-4]
280 - rules: Fix path to libsofthsm2.so. (LP #1685780)
281 [adopted in 1:9.10.6+dfsg-5]
282 - d/p/CVE-2016-8864-regression-test.patch: tests for the regression
283 introduced with the CVE-2016-8864.patch and fixed in
284 CVE-2016-8864-regression.patch.
285 [applied upstream]
286 - d/p/CVE-2016-8864-regression2-test.patch: tests for the second
287 regression (RT #44318) introduced with the CVE-2016-8864.patch
288 and fixed in CVE-2016-8864-regression2.patch.
289 [applied upstream]
290 - d/control, d/rules: add json support for the statistics channels.
291 (LP #1669193)
292 [adopted in 1:9.10.6+dfsg-5]
293 * d/p/add-ply-dependency-to-python-scripts.patch: setup.py is missing
294 listing the python ply module as a dependency (Closes: #888463)
295
296 -- Andreas Hasenack <andreas@canonical.com> Fri, 26 Jan 2018 11:20:33 -0200
297
124bind9 (1:9.11.2.P1-1) unstable; urgency=medium298bind9 (1:9.11.2.P1-1) unstable; urgency=medium
125299
126 * New upstream version 9.11.2-P1300 * New upstream version 9.11.2-P1
@@ -296,6 +470,140 @@ bind9 (1:9.10.6+dfsg-1) unstable; urgency=medium
296470
297 -- Ondřej Surý <ondrej@debian.org> Fri, 06 Oct 2017 06:18:21 +0000471 -- Ondřej Surý <ondrej@debian.org> Fri, 06 Oct 2017 06:18:21 +0000
298472
473bind9 (1:9.10.3.dfsg.P4-12.6ubuntu1) artful; urgency=medium
474
475 * Merge with Debian unstable (LP: #1712920). Remaining changes:
476 - Add RemainAfterExit to bind9-resolvconf unit configuration file
477 (LP #1536181).
478 - rules: Fix path to libsofthsm2.so. (LP #1685780)
479 - d/p/CVE-2016-8864-regression-test.patch: tests for the regression
480 introduced with the CVE-2016-8864.patch and fixed in
481 CVE-2016-8864-regression.patch.
482 - d/p/CVE-2016-8864-regression2-test.patch: tests for the second
483 regression (RT #44318) introduced with the CVE-2016-8864.patch
484 and fixed in CVE-2016-8864-regression2.patch.
485 - d/control, d/rules: add json support for the statistics channels.
486 (LP #1669193)
487
488 -- Andreas Hasenack <andreas@canonical.com> Thu, 24 Aug 2017 18:28:00 -0300
489
490bind9 (1:9.10.3.dfsg.P4-12.6) unstable; urgency=medium
491
492 * Non-maintainer upload.
493 * Import upcoming DNSSEC KSK-2017 from 9.10.5 (Closes: #860794)
494
495 -- Bernhard Schmidt <berni@debian.org> Fri, 11 Aug 2017 19:10:07 +0200
496
497bind9 (1:9.10.3.dfsg.P4-12.5ubuntu1) artful; urgency=medium
498
499 * Merge with Debian unstable (LP: #1701687). Remaining changes:
500 - Add RemainAfterExit to bind9-resolvconf unit configuration file
501 (LP #1536181).
502 - rules: Fix path to libsofthsm2.so. (LP #1685780)
503 * Drop:
504 - SECURITY UPDATE: denial of service via assertion failure
505 + debian/patches/CVE-2016-2776.patch: properly handle lengths in
506 lib/dns/message.c.
507 + CVE-2016-2776
508 + [Fixed in Debian 1:9.10.3.dfsg.P4-11]
509 - SECURITY UPDATE: assertion failure via class mismatch
510 + debian/patches/CVE-2016-9131.patch: properly handle certain TKEY
511 records in lib/dns/resolver.c.
512 + CVE-2016-9131
513 + [Fixed in Debian 1:9.10.3.dfsg.P4-11]
514 - SECURITY UPDATE: assertion failure via inconsistent DNSSEC information
515 + debian/patches/CVE-2016-9147.patch: fix logic when records are
516 returned without the requested data in lib/dns/resolver.c.
517 + CVE-2016-9147
518 + [Fixed in Debian 1:9.10.3.dfsg.P4-11]
519 - SECURITY UPDATE: assertion failure via unusually-formed DS record
520 + debian/patches/CVE-2016-9444.patch: handle missing RRSIGs in
521 lib/dns/message.c, lib/dns/resolver.c.
522 + CVE-2016-9444
523 + [Fixed in Debian 1:9.10.3.dfsg.P4-11]
524 - SECURITY UPDATE: regression in CVE-2016-8864
525 + debian/patches/rt43779.patch: properly handle CNAME -> DNAME in
526 responses in lib/dns/resolver.c, added tests to
527 bin/tests/system/dname/ns2/example.db,
528 bin/tests/system/dname/tests.sh.
529 + No CVE number
530 + [Fixed in Debian 1:9.10.3.dfsg.P4-11 and 1:9.10.3.dfsg.P4-12]
531 - SECURITY UPDATE: Combining dns64 and rpz can result in dereferencing
532 a NULL pointer
533 + debian/patches/CVE-2017-3135.patch: properly handle dns64 and rpz
534 combination in bin/named/query.c, lib/dns/message.c,
535 lib/dns/rdataset.c.
536 + CVE-2017-3135
537 + [Fixed in Debian 1:9.10.3.dfsg.P4-12]
538 - SECURITY UPDATE: regression in CVE-2016-8864
539 + debian/patches/rt44318.patch: synthesised CNAME before matching DNAME
540 was still being cached when it should have been in lib/dns/resolver.c,
541 added tests to bin/tests/system/dname/ans3/ans.pl,
542 bin/tests/system/dname/ns1/root.db, bin/tests/system/dname/tests.sh.
543 + No CVE number
544 + [Fixed in Debian 1:9.10.3.dfsg.P4-12]
545 - SECURITY UPDATE: Denial of Service due to an error handling
546 synthesized records when using DNS64 with "break-dnssec yes;"
547 + debian/patches/CVE-2017-3136.patch: reset noqname if query_dns64()
548 called.
549 + CVE-2017-3136
550 + [Fixed in Debian 1:9.10.3.dfsg.P4-12.3]
551 - SECURITY UPDATE: Denial of Service due to resolver terminating when
552 processing a response packet containing a CNAME or DNAME
553 + debian/patches/CVE-2017-3137.patch: don't expect a specific
554 ordering of answer components; add testcases.
555 + CVE-2017-3137
556 + [Fixed in Debian 1:9.10.3.dfsg.P4-12.3 with 3 patch files]
557 - SECURITY UPDATE: Denial of Service when receiving a null command on
558 the control channel
559 + debian/patches/CVE-2017-3138.patch: don't throw an assert if no
560 command token is given; add testcase.
561 + CVE-2017-3138
562 + [Fixed in Debian 1:9.10.3.dfsg.P4-12.3]
563 - SECURITY UPDATE: TSIG authentication issues
564 + debian/patches/CVE-2017-3042,3043.patch: fix TSIG logic in
565 lib/dns/dnssec.c, lib/dns/message.c, lib/dns/tsig.c.
566 + CVE-2017-3142
567 + CVE-2017-3143
568 + [Fixed in Debian 1:9.10.3.dfsg.P4-12.4]
569 * d/p/CVE-2016-8864-regression-test.patch: tests for the regression
570 introduced with the CVE-2016-8864.patch and fixed in
571 CVE-2016-8864-regression.patch.
572 * d/p/CVE-2016-8864-regression2-test.patch: tests for the second
573 regression (RT #44318) introduced with the CVE-2016-8864.patch
574 and fixed in CVE-2016-8864-regression2.patch.
575 * d/control, d/rules: add json support for the statistics channels.
576 (LP: #1669193)
577
578 -- Andreas Hasenack <andreas@canonical.com> Fri, 11 Aug 2017 17:12:09 -0300
579
580bind9 (1:9.10.3.dfsg.P4-12.5) unstable; urgency=medium
581
582 * Non-maintainer upload.
583 * Change to fix CVE-2017-3142 and CVE-2017-3143 broke verification of TSIG
584 signed TCP message sequences where not all the messages contain TSIG
585 records. These may be used in AXFR and IXFR responses.
586 (Closes: #868952)
587
588 -- Salvatore Bonaccorso <carnil@debian.org> Fri, 21 Jul 2017 22:28:32 +0200
589
590bind9 (1:9.10.3.dfsg.P4-12.4) unstable; urgency=high
591
592 * Non-maintainer upload.
593
594 [ Yves-Alexis Perez ]
595 * debian/patches:
596 - debian/patches/CVE-2017-3142+CVE-2017-3143 added, fix TSIG bypasses
597 CVE-2017-3142: error in TSIG authentication can permit unauthorized zone
598 transfers. An attacker may be able to circumvent TSIG authentication of
599 AXFR and Notify requests.
600 CVE-2017-3143: error in TSIG authentication can permit unauthorized
601 dynamic updates. An attacker may be able to forge a valid TSIG or SIG(0)
602 signature for a dynamic update.
603 (Closes: #866564)
604
605 -- Salvatore Bonaccorso <carnil@debian.org> Sun, 16 Jul 2017 22:13:21 +0200
606
299bind9 (1:9.10.3.dfsg.P4-12.3+deb9u3) stretch; urgency=medium607bind9 (1:9.10.3.dfsg.P4-12.3+deb9u3) stretch; urgency=medium
300608
301 [ Bernhard Schmidt ]609 [ Bernhard Schmidt ]
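Review bot: in the restored 1:9.10.3.dfsg.P4-12.5ubuntu1 entry (new lines 563-568) the patch is named CVE-2017-3042,3043.patch while the CVE IDs listed under it are CVE-2017-3142 and CVE-2017-3143; the same filename appears in the 1:9.10.3.dfsg.P4-10.1ubuntu7 entry further down. These are historical entries and should stay verbatim, but anyone auditing CVE coverage from this changelog should match on the CVE lines rather than on the patch filename.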
@@ -402,6 +710,98 @@ bind9 (1:9.10.3.dfsg.P4-11) unstable; urgency=medium
402710
403 -- Michael Gilbert <mgilbert@debian.org> Thu, 19 Jan 2017 04:03:28 +0000711 -- Michael Gilbert <mgilbert@debian.org> Thu, 19 Jan 2017 04:03:28 +0000
404712
713bind9 (1:9.10.3.dfsg.P4-10.1ubuntu7) artful; urgency=medium
714
715 * SECURITY UPDATE: TSIG authentication issues
716 - debian/patches/CVE-2017-3042,3043.patch: fix TSIG logic in
717 lib/dns/dnssec.c, lib/dns/message.c, lib/dns/tsig.c.
718 - CVE-2017-3142
719 - CVE-2017-3143
720
721 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Mon, 03 Jul 2017 09:48:13 -0400
722
723bind9 (1:9.10.3.dfsg.P4-10.1ubuntu6) artful; urgency=medium
724
725 * rules: Fix path to libsofthsm2.so. (LP: #1685780)
726
727 -- Timo Aaltonen <tjaalton@debian.org> Mon, 24 Apr 2017 15:01:30 +0300
728
729bind9 (1:9.10.3.dfsg.P4-10.1ubuntu5) zesty-security; urgency=medium
730
731 * SECURITY UPDATE: Denial of Service due to an error handling
732 synthesized records when using DNS64 with "break-dnssec yes;"
733 - debian/patches/CVE-2017-3136.patch: reset noqname if query_dns64()
734 called.
735 - CVE-2017-3136
736 * SECURITY UPDATE: Denial of Service due to resolver terminating when
737 processing a response packet containing a CNAME or DNAME
738 - debian/patches/CVE-2017-3137.patch: don't expect a specific
739 ordering of answer components; add testcases.
740 - CVE-2017-3137
741 * SECURITY UPDATE: Denial of Service when receiving a null command on
742 the control channel
743 - debian/patches/CVE-2017-3138.patch: don't throw an assert if no
744 command token is given; add testcase.
745 - CVE-2017-3138
746
747 -- Steve Beattie <sbeattie@ubuntu.com> Wed, 12 Apr 2017 01:32:15 -0700
748
749bind9 (1:9.10.3.dfsg.P4-10.1ubuntu4) zesty; urgency=medium
750
751 * SECURITY UPDATE: Combining dns64 and rpz can result in dereferencing
752 a NULL pointer
753 - debian/patches/CVE-2017-3135.patch: properly handle dns64 and rpz
754 combination in bin/named/query.c, lib/dns/message.c,
755 lib/dns/rdataset.c.
756 - CVE-2017-3135
757 * SECURITY UPDATE: regression in CVE-2016-8864
758 - debian/patches/rt44318.patch: synthesised CNAME before matching DNAME
759 was still being cached when it should have been in lib/dns/resolver.c,
760 added tests to bin/tests/system/dname/ans3/ans.pl,
761 bin/tests/system/dname/ns1/root.db, bin/tests/system/dname/tests.sh.
762 - No CVE number
763
764 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 15 Feb 2017 09:37:39 -0500
765
766bind9 (1:9.10.3.dfsg.P4-10.1ubuntu3) zesty; urgency=medium
767
768 * SECURITY UPDATE: assertion failure via class mismatch
769 - debian/patches/CVE-2016-9131.patch: properly handle certain TKEY
770 records in lib/dns/resolver.c.
771 - CVE-2016-9131
772 * SECURITY UPDATE: assertion failure via inconsistent DNSSEC information
773 - debian/patches/CVE-2016-9147.patch: fix logic when records are
774 returned without the requested data in lib/dns/resolver.c.
775 - CVE-2016-9147
776 * SECURITY UPDATE: assertion failure via unusually-formed DS record
777 - debian/patches/CVE-2016-9444.patch: handle missing RRSIGs in
778 lib/dns/message.c, lib/dns/resolver.c.
779 - CVE-2016-9444
780 * SECURITY UPDATE: regression in CVE-2016-8864
781 - debian/patches/rt43779.patch: properly handle CNAME -> DNAME in
782 responses in lib/dns/resolver.c, added tests to
783 bin/tests/system/dname/ns2/example.db,
784 bin/tests/system/dname/tests.sh.
785 - No CVE number
786
787 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 25 Jan 2017 09:28:10 -0500
788
789bind9 (1:9.10.3.dfsg.P4-10.1ubuntu2) zesty; urgency=medium
790
791 * Add RemainAfterExit to bind9-resolvconf unit configuration file
792 (LP: #1536181).
793
794 -- Nishanth Aravamudan <nish.aravamudan@canonical.com> Tue, 15 Nov 2016 08:24:58 -0800
795
796bind9 (1:9.10.3.dfsg.P4-10.1ubuntu1) yakkety; urgency=medium
797
798 * SECURITY UPDATE: denial of service via assertion failure
799 - debian/patches/CVE-2016-2776.patch: properly handle lengths in
800 lib/dns/message.c.
801 - CVE-2016-2776
802
803 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Tue, 04 Oct 2016 14:31:17 -0400
804
405bind9 (1:9.10.3.dfsg.P4-10.1) unstable; urgency=medium805bind9 (1:9.10.3.dfsg.P4-10.1) unstable; urgency=medium
406806
407 * Non-maintainer upload.807 * Non-maintainer upload.
diff --git a/debian/control b/debian/control
index 73c2a17..3d7f03d 100644
--- a/debian/control
+++ b/debian/control
@@ -1,7 +1,8 @@
1Source: bind91Source: bind9
2Section: net2Section: net
3Priority: optional3Priority: optional
4Maintainer: Debian DNS Team <team+dns@tracker.debian.org>4Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
5XSBC-Original-Maintainer: Debian DNS Team <team+dns@tracker.debian.org>
5Uploaders: LaMont Jones <lamont@debian.org>,6Uploaders: LaMont Jones <lamont@debian.org>,
6 Michael Gilbert <mgilbert@debian.org>,7 Michael Gilbert <mgilbert@debian.org>,
7 Robie Basak <robie.basak@canonical.com>,8 Robie Basak <robie.basak@canonical.com>,
@@ -15,18 +16,14 @@ Build-Depends: bison,
15 dpkg-dev (>= 1.16.1~),16 dpkg-dev (>= 1.16.1~),
16 libcap2-dev [!kfreebsd-i386 !kfreebsd-amd64 !hurd-i386],17 libcap2-dev [!kfreebsd-i386 !kfreebsd-amd64 !hurd-i386],
17 libdb-dev (>>4.6),18 libdb-dev (>>4.6),
18 libfstrm-dev,
19 libgeoip-dev (>= 1.4.6.dfsg-5),19 libgeoip-dev (>= 1.4.6.dfsg-5),
20 libidn2-dev,20 libidn2-dev,
21 libjson-c-dev,21 libjson-c-dev,
22 libkrb5-dev,22 libkrb5-dev,
23 libldap2-dev,23 libldap2-dev,
24 liblmdb-dev,
25 libprotobuf-c-dev,
26 libssl-dev,24 libssl-dev,
27 libtool,25 libtool,
28 libxml2-dev,26 libxml2-dev,
29 protobuf-c-compiler,
30 python3,27 python3,
31 python3-distutils,28 python3-distutils,
32 python3-ply29 python3-ply
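Review bot: dropping libfstrm-dev, liblmdb-dev, libprotobuf-c-dev and protobuf-c-compiler from Build-Depends only keeps them out of a clean build chroot; it does not by itself turn the features off. The changelog records the matching d/rules side ("configure --without-lmdb", "don't build dnstap nor install dnstap.proto"), so check that the debian/rules hunk of this merge still disables both explicitly rather than relying on configure not finding the libraries.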
diff --git a/debian/dnsutils.install b/debian/dnsutils.install
index 90e4fba..5e6b7d9 100644
--- a/debian/dnsutils.install
+++ b/debian/dnsutils.install
@@ -1,12 +1,10 @@
1usr/bin/delv1usr/bin/delv
2usr/bin/dig2usr/bin/dig
3usr/bin/dnstap-read
4usr/bin/mdig3usr/bin/mdig
5usr/bin/nslookup4usr/bin/nslookup
6usr/bin/nsupdate5usr/bin/nsupdate
7usr/share/man/man1/delv.16usr/share/man/man1/delv.1
8usr/share/man/man1/dig.17usr/share/man/man1/dig.1
9usr/share/man/man1/dnstap-read.1
10usr/share/man/man1/mdig.18usr/share/man/man1/mdig.1
11usr/share/man/man1/nslookup.19usr/share/man/man1/nslookup.1
12usr/share/man/man1/nsupdate.110usr/share/man/man1/nsupdate.1
diff --git a/debian/libdns1104.symbols b/debian/libdns1104.symbols
index a3b9f10..7b6020e 100644
--- a/debian/libdns1104.symbols
+++ b/debian/libdns1104.symbols
@@ -358,21 +358,6 @@ libdns-pkcs11.so.1104 libdns1104 #MINVER#
358 dns_dsdigest_format@Base 1:9.11.3+dfsg358 dns_dsdigest_format@Base 1:9.11.3+dfsg
359 dns_dsdigest_fromtext@Base 1:9.11.3+dfsg359 dns_dsdigest_fromtext@Base 1:9.11.3+dfsg
360 dns_dsdigest_totext@Base 1:9.11.3+dfsg360 dns_dsdigest_totext@Base 1:9.11.3+dfsg
361 dns_dt_attach@Base 1:9.11.4+dfsg-2
362 dns_dt_close@Base 1:9.11.4+dfsg-2
363 dns_dt_create@Base 1:9.11.4+dfsg-2
364 dns_dt_datatotext@Base 1:9.11.4+dfsg-2
365 dns_dt_detach@Base 1:9.11.4+dfsg-2
366 dns_dt_getframe@Base 1:9.11.4+dfsg-2
367 dns_dt_getstats@Base 1:9.11.4+dfsg-2
368 dns_dt_open@Base 1:9.11.4+dfsg-2
369 dns_dt_parse@Base 1:9.11.4+dfsg-2
370 dns_dt_reopen@Base 1:9.11.4+dfsg-2
371 dns_dt_send@Base 1:9.11.4+dfsg-2
372 dns_dt_setidentity@Base 1:9.11.4+dfsg-2
373 dns_dt_setversion@Base 1:9.11.4+dfsg-2
374 dns_dt_shutdown@Base 1:9.11.4+dfsg-2
375 dns_dtdata_free@Base 1:9.11.4+dfsg-2
376 dns_dumpctx_attach@Base 1:9.11.3+dfsg361 dns_dumpctx_attach@Base 1:9.11.3+dfsg
377 dns_dumpctx_cancel@Base 1:9.11.3+dfsg362 dns_dumpctx_cancel@Base 1:9.11.3+dfsg
378 dns_dumpctx_db@Base 1:9.11.3+dfsg363 dns_dumpctx_db@Base 1:9.11.3+dfsg
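Review bot: consider tagging the dns_dt_* entries removed here (and the dnstap__* entries removed in the following hunks) as (optional) instead of deleting them. Deletion is a delta that has to be redone by hand whenever the symbols file is renamed or regenerated, as the libdns1102.symbols to libdns1104.symbols rename discussed in the review shows, and the changelog already has a precedent for a build-dependent symbol handled as optional (dst__openssleddsa_init).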
@@ -1443,24 +1428,6 @@ libdns-pkcs11.so.1104 libdns1104 #MINVER#
1443 dns_zt_setviewcommit@Base 1:9.11.3+dfsg1428 dns_zt_setviewcommit@Base 1:9.11.3+dfsg
1444 dns_zt_setviewrevert@Base 1:9.11.3+dfsg1429 dns_zt_setviewrevert@Base 1:9.11.3+dfsg
1445 dns_zt_unmount@Base 1:9.11.3+dfsg1430 dns_zt_unmount@Base 1:9.11.3+dfsg
1446 dnstap__dnstap__descriptor@Base 1:9.11.4+dfsg-2
1447 dnstap__dnstap__free_unpacked@Base 1:9.11.4+dfsg-2
1448 dnstap__dnstap__get_packed_size@Base 1:9.11.4+dfsg-2
1449 dnstap__dnstap__init@Base 1:9.11.4+dfsg-2
1450 dnstap__dnstap__pack@Base 1:9.11.4+dfsg-2
1451 dnstap__dnstap__pack_to_buffer@Base 1:9.11.4+dfsg-2
1452 dnstap__dnstap__type__descriptor@Base 1:9.11.4+dfsg-2
1453 dnstap__dnstap__unpack@Base 1:9.11.4+dfsg-2
1454 dnstap__message__descriptor@Base 1:9.11.4+dfsg-2
1455 dnstap__message__free_unpacked@Base 1:9.11.4+dfsg-2
1456 dnstap__message__get_packed_size@Base 1:9.11.4+dfsg-2
1457 dnstap__message__init@Base 1:9.11.4+dfsg-2
1458 dnstap__message__pack@Base 1:9.11.4+dfsg-2
1459 dnstap__message__pack_to_buffer@Base 1:9.11.4+dfsg-2
1460 dnstap__message__type__descriptor@Base 1:9.11.4+dfsg-2
1461 dnstap__message__unpack@Base 1:9.11.4+dfsg-2
1462 dnstap__socket_family__descriptor@Base 1:9.11.4+dfsg-2
1463 dnstap__socket_protocol__descriptor@Base 1:9.11.4+dfsg-2
1464 dst__entropy_getdata@Base 1:9.11.3+dfsg1431 dst__entropy_getdata@Base 1:9.11.3+dfsg
1465 dst__entropy_status@Base 1:9.11.3+dfsg1432 dst__entropy_status@Base 1:9.11.3+dfsg
1466 dst__gssapi_init@Base 1:9.11.3+dfsg1433 dst__gssapi_init@Base 1:9.11.3+dfsg
@@ -1940,21 +1907,6 @@ libdns.so.1104 libdns1104 #MINVER#
1940 dns_dsdigest_format@Base 1:9.11.3+dfsg1907 dns_dsdigest_format@Base 1:9.11.3+dfsg
1941 dns_dsdigest_fromtext@Base 1:9.11.3+dfsg1908 dns_dsdigest_fromtext@Base 1:9.11.3+dfsg
1942 dns_dsdigest_totext@Base 1:9.11.3+dfsg1909 dns_dsdigest_totext@Base 1:9.11.3+dfsg
1943 dns_dt_attach@Base 1:9.11.4+dfsg-2
1944 dns_dt_close@Base 1:9.11.4+dfsg-2
1945 dns_dt_create@Base 1:9.11.4+dfsg-2
1946 dns_dt_datatotext@Base 1:9.11.4+dfsg-2
1947 dns_dt_detach@Base 1:9.11.4+dfsg-2
1948 dns_dt_getframe@Base 1:9.11.4+dfsg-2
1949 dns_dt_getstats@Base 1:9.11.4+dfsg-2
1950 dns_dt_open@Base 1:9.11.4+dfsg-2
1951 dns_dt_parse@Base 1:9.11.4+dfsg-2
1952 dns_dt_reopen@Base 1:9.11.4+dfsg-2
1953 dns_dt_send@Base 1:9.11.4+dfsg-2
1954 dns_dt_setidentity@Base 1:9.11.4+dfsg-2
1955 dns_dt_setversion@Base 1:9.11.4+dfsg-2
1956 dns_dt_shutdown@Base 1:9.11.4+dfsg-2
1957 dns_dtdata_free@Base 1:9.11.4+dfsg-2
1958 dns_dumpctx_attach@Base 1:9.11.3+dfsg1910 dns_dumpctx_attach@Base 1:9.11.3+dfsg
1959 dns_dumpctx_cancel@Base 1:9.11.3+dfsg1911 dns_dumpctx_cancel@Base 1:9.11.3+dfsg
1960 dns_dumpctx_db@Base 1:9.11.3+dfsg1912 dns_dumpctx_db@Base 1:9.11.3+dfsg
@@ -3032,24 +2984,6 @@ libdns.so.1104 libdns1104 #MINVER#
3032 dns_zt_setviewcommit@Base 1:9.11.3+dfsg2984 dns_zt_setviewcommit@Base 1:9.11.3+dfsg
3033 dns_zt_setviewrevert@Base 1:9.11.3+dfsg2985 dns_zt_setviewrevert@Base 1:9.11.3+dfsg
3034 dns_zt_unmount@Base 1:9.11.3+dfsg2986 dns_zt_unmount@Base 1:9.11.3+dfsg
3035 dnstap__dnstap__descriptor@Base 1:9.11.4+dfsg-2
3036 dnstap__dnstap__free_unpacked@Base 1:9.11.4+dfsg-2
3037 dnstap__dnstap__get_packed_size@Base 1:9.11.4+dfsg-2
3038 dnstap__dnstap__init@Base 1:9.11.4+dfsg-2
3039 dnstap__dnstap__pack@Base 1:9.11.4+dfsg-2
3040 dnstap__dnstap__pack_to_buffer@Base 1:9.11.4+dfsg-2
3041 dnstap__dnstap__type__descriptor@Base 1:9.11.4+dfsg-2
3042 dnstap__dnstap__unpack@Base 1:9.11.4+dfsg-2
3043 dnstap__message__descriptor@Base 1:9.11.4+dfsg-2
3044 dnstap__message__free_unpacked@Base 1:9.11.4+dfsg-2
3045 dnstap__message__get_packed_size@Base 1:9.11.4+dfsg-2
3046 dnstap__message__init@Base 1:9.11.4+dfsg-2
3047 dnstap__message__pack@Base 1:9.11.4+dfsg-2
3048 dnstap__message__pack_to_buffer@Base 1:9.11.4+dfsg-2
3049 dnstap__message__type__descriptor@Base 1:9.11.4+dfsg-2
3050 dnstap__message__unpack@Base 1:9.11.4+dfsg-2
3051 dnstap__socket_family__descriptor@Base 1:9.11.4+dfsg-2
3052 dnstap__socket_protocol__descriptor@Base 1:9.11.4+dfsg-2
3053 dst__entropy_getdata@Base 1:9.11.3+dfsg2987 dst__entropy_getdata@Base 1:9.11.3+dfsg
3054 dst__entropy_status@Base 1:9.11.3+dfsg2988 dst__entropy_status@Base 1:9.11.3+dfsg
3055 dst__gssapi_init@Base 1:9.11.3+dfsg2989 dst__gssapi_init@Base 1:9.11.3+dfsg
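Review bot: the dnstap__* and dns_dt_* entries (all tagged 1:9.11.4+dfsg-2) are dropped from both the libdns-pkcs11.so.1104 and libdns.so.1104 sections while the package name stays libdns1104, so the same package name now exports fewer symbols than the merge target's symbols file lists. Please make sure the changelog entry names this as remaining delta tied to the removal of --enable-dnstap in debian/rules, so the two are kept or dropped together on the next merge. Also confirm that none of the packages scheduled for rebuild reference dns_dt_* or dnstap__*.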
diff --git a/debian/patches/enable-udp-in-host-command.diff b/debian/patches/enable-udp-in-host-command.diff
3056new file mode 1006442990new file mode 100644
index 0000000..5444ae7
--- /dev/null
+++ b/debian/patches/enable-udp-in-host-command.diff
@@ -0,0 +1,26 @@
1Description: Fix parsing of host(1)'s -U command line option
2Author: Andreas Hasenack <andreas@canonical.com>
3Bug: https://gitlab.isc.org/isc-projects/bind9/issues/769
4Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/bind9/+bug/1804648
5Applied-Upstream: https://gitlab.isc.org/isc-projects/bind9/commit/5e2cd91321cdda1707411c4e268d364f03f63935
6Last-Update: 2018-12-06
7---
8This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
9--- a/bin/dig/host.c
10+++ b/bin/dig/host.c
11@@ -158,6 +158,7 @@
12 " -s a SERVFAIL response should stop query\n"
13 " -t specifies the query type\n"
14 " -T enables TCP/IP mode\n"
15+" -U enables UDP mode\n"
16 " -v enables verbose output\n"
17 " -V print version number and exit\n"
18 " -w specifies to wait forever for a reply\n"
19@@ -657,6 +658,7 @@
20 case 'N': break;
21 case 'R': break;
22 case 'T': break;
23+ case 'U': break;
24 case 'W': break;
25 default:
26 show_usage();
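Review bot: the Description says the patch fixes parsing of -U, but the second hunk only adds `case 'U': break;` to a switch whose default branch calls show_usage(), alongside the new usage line. Please say in the DEP-3 Description that -U previously fell through to that default branch, so the reason for a no-op case is clear to whoever reads the patch later. Since the header carries Applied-Upstream, the changelog should note that the patch can be dropped once the packaged upstream version contains that commit, and a `host -U` invocation in debian/tests would guard against a regression until then.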
diff --git a/debian/patches/fix-shutdown-race.diff b/debian/patches/fix-shutdown-race.diff
0new file mode 10064427new file mode 100644
index 0000000..f10f51f
--- /dev/null
+++ b/debian/patches/fix-shutdown-race.diff
@@ -0,0 +1,41 @@
1From f2ca287330110993609fa0443d3bdb17629bd979 Mon Sep 17 00:00:00 2001
2From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= <michal@isc.org>
3Date: Tue, 13 Nov 2018 13:50:47 +0100
4Subject: [PATCH 1/2] Fix a shutdown race in bin/dig/dighost.c
5
6If a tool using the routines defined in bin/dig/dighost.c is sent an
7interruption signal around the time a connection timeout is scheduled to
8fire, connect_timeout() may be executed after destroy_libs() detaches
9from the global task (setting 'global_task' to NULL), which results in a
10crash upon a UDP retry due to bringup_timer() attempting to create a
11timer with 'task' set to NULL. Fix by preventing connect_timeout() from
12attempting a retry when shutdown is in progress.
13
14(cherry picked from commit 462175659674a10c0d39c7c328f1a5324ce2e38b)
15
16Origin: https://gitlab.isc.org/isc-projects/bind9/merge_requests/1040/diffs
17Bug: https://gitlab.isc.org/isc-projects/bind9/issues/599
18Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/bind9/+bug/1797926
19Last-Update: 2018-12-06
20
21---
22 bin/dig/dighost.c | 5 +++++
23 1 file changed, 5 insertions(+)
24diff --git a/bin/dig/dighost.c b/bin/dig/dighost.c
25index 39abb9d0fd..17e0328228 100644
26--- a/bin/dig/dighost.c
27+++ b/bin/dig/dighost.c
28@@ -3240,6 +3240,11 @@ connect_timeout(isc_task_t *task, isc_event_t *event) {
29
30 INSIST(!free_now);
31
32+ if (cancel_now) {
33+ UNLOCK_LOOKUP;
34+ return;
35+ }
36+
37 if ((query != NULL) && (query->lookup->current_query != NULL) &&
38 ISC_LINK_LINKED(query->lookup->current_query, link) &&
39 (ISC_LIST_NEXT(query->lookup->current_query, link) != NULL)) {
40--
412.18.1
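Review bot: the Subject line reads [PATCH 1/2], but only this one patch is added to debian/patches; please state in the header whether the second patch of the series is intentionally left out. Separately, the new early return under `if (cancel_now)` releases the lookup lock with UNLOCK_LOOKUP and returns, and the three lines of context do not show whether `event` has already been freed at that point, so it is worth checking against the full connect_timeout() that this path does not leak it. The header has Origin and a cherry-pick reference but no Applied-Upstream field, unlike enable-udp-in-host-command.diff; adding one would keep the two patches consistent.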
diff --git a/debian/patches/series b/debian/patches/series
index 348be41..75144c4 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -8,3 +8,5 @@
880_reproducible_build.diff880_reproducible_build.diff
9Add_--install-layout=deb_to_setup.py_call.patch9Add_--install-layout=deb_to_setup.py_call.patch
10skip-rtld-deepbind-for-dyndb.diff10skip-rtld-deepbind-for-dyndb.diff
11enable-udp-in-host-command.diff
12fix-shutdown-race.diff
diff --git a/debian/rules b/debian/rules
index 7edd414..1a22081 100755
--- a/debian/rules
+++ b/debian/rules
@@ -91,7 +91,7 @@ override_dh_auto_configure:
91 --with-gssapi=/usr \91 --with-gssapi=/usr \
92 --with-libidn2 \92 --with-libidn2 \
93 --with-libjson=/usr \93 --with-libjson=/usr \
94 --with-lmdb=/usr \94 --without-lmdb \
95 --with-gnu-ld \95 --with-gnu-ld \
96 --with-geoip=/usr \96 --with-geoip=/usr \
97 --with-atf=no \97 --with-atf=no \
@@ -101,7 +101,6 @@ override_dh_auto_configure:
101 --enable-native-pkcs11 \101 --enable-native-pkcs11 \
102 --with-pkcs11=\$${prefix}/lib/softhsm/libsofthsm2.so \102 --with-pkcs11=\$${prefix}/lib/softhsm/libsofthsm2.so \
103 --with-randomdev=/dev/urandom \103 --with-randomdev=/dev/urandom \
104 --enable-dnstap \
105 --with-eddsa=no \104 --with-eddsa=no \
106 $(EXTRA_FEATURES)105 $(EXTRA_FEATURES)
107 dh_auto_configure -B build-udeb -- \106 dh_auto_configure -B build-udeb -- \
@@ -128,8 +127,6 @@ override_dh_auto_configure:
128 # no need to build these targets here127 # no need to build these targets here
129 sed -i 's/dnssec-pkcs11//;s/named-pkcs11//' build-udeb/bin/Makefile128 sed -i 's/dnssec-pkcs11//;s/named-pkcs11//' build-udeb/bin/Makefile
130 sed -i 's/dns-pkcs11//;s/isc-pkcs11//' build-udeb/lib/Makefile129 sed -i 's/dns-pkcs11//;s/isc-pkcs11//' build-udeb/lib/Makefile
131 cp lib/dns/dnstap.proto build/lib/dns
132 cp lib/dns-pkcs11/dnstap.proto build/lib/dns-pkcs11
133130
134override_dh_auto_build:131override_dh_auto_build:
135 dh_auto_build -B build132 dh_auto_build -B build
diff --git a/debian/tests/simpletest b/debian/tests/simpletest
index 468a7c5..34b0b25 100755
--- a/debian/tests/simpletest
+++ b/debian/tests/simpletest
@@ -10,10 +10,6 @@ setup() {
10run() {10run() {
11 # Make a query against a local zone11 # Make a query against a local zone
12 dig -x 127.0.0.1 @127.0.0.112 dig -x 127.0.0.1 @127.0.0.1
13
14 # Make a query against an external nameserver and check for DNSSEC validation
15 echo "Checking for DNSSEC validation status of internetsociety.org"
16 dig -t a internetsociety.org @127.0.0.1 | egrep 'flags:.+ad; QUERY'
17}13}
1814
19teardown() {15teardown() {
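Review bot: with the DNSSEC check removed, run() is left with `dig -x 127.0.0.1 @127.0.0.1` and nothing that inspects its output, so the test no longer asserts anything about validation and passes as long as dig exits zero. Consider piping the remaining query through a grep for the expected answer or status, the way the removed check used `egrep 'flags:.+ad; QUERY'`, and record in the changelog that DNSSEC validation is no longer covered by this dep8 test.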
